Re: [PATCH] Remove unnecessary unbind in LDAP search+bind mode

On 23.03.23 02:45, Anatoly Zaretsky wrote:
> Comments in src/backend/libpq/auth.c [1] say:
> (after successfully finding the final DN to check the user-supplied 
> password against)
> /* Unbind and disconnect from the LDAP server */
> and later
> /*
> * Need to re-initialize the LDAP connection, so that we can bind to
> * it with a different username.
> */
> 
> But the protocol actually permits multiple subsequent authentications 
> ("binds" in LDAP parlance) over a single connection [2].
> Moreover, inspection of the code revision history of mod_authnz_ldap, 
> pam_ldap, Bugzilla, and MediaWiki LDAP authentication plugin, shows that 
> they've been doing this bind-after-search over the same LDAP connection 
> for ~20 years without any evidence of interoperability troubles.

> So, it seems like the whole connection re-initialization thing was just 
> a confusion caused by this very unfortunate "historical" naming, and can 
> be safely removed, thus saving quite a few network round-trips, 
> especially for the case of ldaps/starttls.

Your reasoning and your patch look correct to me.